Slashdot Mirror


98% of DNS Queries at the Root Level are Unnecessary

LEPP writes "Scientists at the San Diego Supercomputer Center found that 98% of the DNS queries at the root level are unnecessary. This doesn't even take into account the 99.9% of web pages suck or are unnecessary anyways. This means that the remaining 2% of necessary DNS queries are probably not necessary either."

12 of 426 comments

  1. AOL by almeida · · Score: 5, Interesting

    On a similar note, I noticed that AOL causes a lot of DNS lookups. From what I can see from my firewall logs, each TCP connection from an AOL user is handled by a separate proxy. Each proxy then does its own lookup on the host. So, for a normal sized webpage with some images or whatever, you get like 10 TCP connections for the content and 10 UDP connections for the DNS lookup. Seems kind of excessive to me.

    1. Re:AOL by cyb97 · · Score: 5, Interesting
      AOL always screws up webpage statistics (which I guess can be a good thing as the only doofuses that really really care about statistics are marketers?)...

      I can't count the number of times I've seen a massive spike in number of "unique visitors" just to look at the hosts and find *.proxy.aol.com filling the whole thing....

    2. Re:AOL by micromoog · · Score: 3, Interesting

      Hmmmmmmm, I wonder if this could even constitute fraud. If web publishers believe a larger number of AOL'ers are visiting their site than actually do, wouldn't they be inclined to pay more for adverts on AOL's portal?

  2. News you can use by El_Smack · · Score: 5, Interesting

    From the article:
    "Researchers believe that many bad requests occur because organizations have misconfigured packet filters and firewalls, security mechanisms intended to restrict certain types of network traffic. When packet filters and firewalls allow outgoing DNS queries, but block the resulting incoming responses..."
    It's nice to see a story with info I can take and use. This is actually "stuff that matters".
    Kudos to the researchers, and now I am off to check my firewall.

    --
    There are 01 kinds of cars in the world. The General Lee, and everything else.

  3. Ignant by edraven · · Score: 5, Interesting
    In addition, 7 percent of all the queries already contained an IP address instead of a host name, which made the job of mapping it to an IP address irrelevant.


    Is it just me, or is this a description of a reverse lookup? How does that qualify as unnecessary? This is a pretty common step in troubleshooting, and some software does a reverse lookup following a forward lookup to verify that the hostname it gets back is the same one it started with.

    Chuckles
  4. Incorrect top-level domains by jb_nizet · · Score: 5, Interesting
    About 12 percent of the queries received by the root server on Oct. 4, were for nonexistent top-level domains, such as ".elvis", ".corp", and ".localhost"

    Why don't DNS servers have a list of correct top-level domains, in order to answer directly, without going to a root server? The list is short, compared to the information the DNS server caches already, and the content of the list doesn't change so often. This list could be downloaded once a day or so, from the DNS root servers.

    When packet filters and firewalls allow outgoing DNS queries, but block the resulting incoming responses, software on the inside of the firewall can make the same DNS queries over and over, waiting for responses that can't get through

    Why the hell does a firewall accept outgoing queries to black-listed domain names, if they are configured to block the response to these queries? This seems like a serious misconception to me.

    JB.
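The misconfiguration quoted in the two comments above (queries allowed out, replies blocked on the way back in) can be spotted in a packet-filter policy before it produces a retry storm. The following is an added example, not code from the article or from any commenter: it runs a simple heuristic over two constructed iptables-save style rulesets, one broken and one fixed, and flags a ruleset that accepts outbound UDP/53 without any rule admitting the answers.

```python
# Constructed iptables-save style rulesets (sample policies, not from the article).
BROKEN_RULESET = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

FIXED_RULESET = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def dns_paths(ruleset):
    """Return (allows_outbound_queries, allows_replies) for a filter table.

    Replies count as allowed if INPUT accepts ESTABLISHED/RELATED traffic
    (stateful, preferred) or explicitly accepts UDP with source port 53
    (stateless, weaker but still lets answers through)."""
    allows_out = False
    allows_in = False
    for line in ruleset.splitlines():
        if not line.startswith("-A ") or "-j ACCEPT" not in line:
            continue
        chain = line.split()[1]
        if chain == "OUTPUT" and "-p udp" in line and "--dport 53" in line:
            allows_out = True
        if chain == "INPUT" and (
            "ESTABLISHED" in line or ("-p udp" in line and "--sport 53" in line)
        ):
            allows_in = True
    return allows_out, allows_in


def dns_misconfigured(ruleset):
    """True when queries can leave but nothing admits the responses."""
    allows_out, allows_in = dns_paths(ruleset)
    return allows_out and not allows_in


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(label, "misconfigured" if dns_misconfigured(rules) else "ok")
```

The heuristic only looks at ACCEPT rules in INPUT and OUTPUT; a real audit would also follow user-defined chains and the policy defaults.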

  5. Not really "broken" queries by dachshund · · Score: 5, Interesting
    About 12 percent of the queries received by the root server on Oct. 4, were for nonexistent top-level domains, such as ".elvis", ".corp", and ".localhost".

    And that's a problem? My understanding was dealing with this sort of thing was exactly the purpose of the root DNS servers. If every ISP's DNS server was pre-configured to recognize valid and invalid top-level domains, you could just set them up to go straight to the specific DNS servers handling those domains (.com, .net, .org, etc.) There would be no need for a root-level system.

    The argument for allowing this kind of cracked query through to the root server is that it makes it easy to add new domains (.elvis, .corp, what have you) without forcing everyone to reconfigure their DNS boxes for each new top-level domain.

  6. Re:The real root of the problem... by TheShadow · · Score: 4, Interesting

    Ummm... what does IPv6 have to do with DNS vanishing? With 128-bit IP addresses in an ugly hex-colon notation... DNS will be even more important when people move to IPv6.

    The problem with DNS (and SMTP) is that they are protocols developed during a time where everyone on the internet was operating in a cooperative mode. Now that there is a proliferation of SPAM and DOS attacks, these old protocols break down because they were not developed with security in mind.

    DNS will not go away. But the protocol will probably change at some point.

    --
    "What do you want me to do? Whack a guy? Off a guy? Whack off a guy? Cause I'm married."
  7. Re:DNS queries are for lamers by jovlinger · · Score: 3, Interesting

    ya know, that's not impossible these days.
    What with the private subnets you can't get to, and corporations buying up whole class IP blocks, you're not going to need to map every single IP to a set of names.

    Say you need to map 2**30 names. Give each name 256 bytes to list the hosts using that ip. You've just used 256GB. A lot, yes, but I'm willing to bet at least one person reading this has that much storage dedicated to MP3s.

  8. Another great source for broken DNS. by FreeLinux · · Score: 4, Interesting

    I'm surprised that they did not mention massive numbers of "broken" requests from Windows 2000/XP systems. I see this all the time due to misconfigurations. Administrators often set up the Windows 2000 DNS servers incorrectly and Windows 2000/XP systems (workstations and servers) configured such that they constantly try dynamic DNS updates to the wrong DNS servers, even the root servers.

    Linux, too, has some issues here. Obviously misconfigured DNS servers will always be a problem, but distros like Red Hat have IPv6 support compiled into the BIND RPM; this results in an IPv6 formatted query followed by an IPv4 query for every request.

  9. Unnecessary Queries? by Eskarel · · Score: 3, Interesting
    About 70 percent of all the queries were either identical, or repeat requests for addresses within the same domain. It is as if a telephone user were dialing directory assistance to get the phone numbers of certain businesses, and repeating the directory-assistance calls again and again.

    This is somewhat of an invalid metaphor for both the way dns works, and the way computer caching works. Pretty much every local DNS server (unless my information is wrong), has some sort of caching system of varying degrees of efficiency. The problem is that unlike humans who are more likely to remember things if they are repeated, caching usually just consists of a series of entries which can quite easily be overwritten; older entries will be overwritten if they aren't updated or caching would never work for new frequently accessed sites. It's quite easy to get an access pattern which would remove even the most frequently accessed files from a list especially on a server with a great deal of users. By providing different servers for each chunk of users you can diminish this problem but then you'll get requests from each server. DNS is an ugly system because it does an ugly job.
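The article's categories of unnecessary root queries come up in several comments above: names that are already IP addresses (comment 3), queries for top-level domains that do not exist, which a resolver could reject from a short local list (comments 4 and 5), and identical or same-domain repeats (this comment). The following is an added example, not code from the study or from any commenter: it classifies a constructed sample of root-server query log lines into those categories so an operator can measure how much of their own resolver's outbound traffic falls into each bucket. The TLD list is a small stand-in for the real one.

```python
import ipaddress
from collections import Counter

# Constructed sample of root-server query log lines: "<client> <qname> <qtype>".
SAMPLE_QUERIES = """\
192.0.2.10 www.example.com. A
192.0.2.10 www.example.com. A
192.0.2.11 mail.example.com. MX
192.0.2.12 192.168.1.5 A
192.0.2.13 fileserver.corp. A
192.0.2.14 localhost. A
192.0.2.15 www.example.org. AAAA
192.0.2.15 ftp.example.org. A
192.0.2.16 elvis.elvis. A
""".splitlines()

# Stand-in for the "short list of correct top-level domains" a resolver could hold.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "arpa"}


def is_ip_literal(name):
    """True when the queried name is already an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify(lines):
    """Count each query as ip_literal, bad_tld, repeat_identical,
    repeat_same_domain, or legitimate (first query for a new domain)."""
    counts = Counter()
    seen_exact, seen_domain = set(), set()
    for line in lines:
        _client, qname, qtype = line.split()
        name = qname.rstrip(".").lower()
        labels = name.split(".")
        if is_ip_literal(name):
            counts["ip_literal"] += 1
        elif labels[-1] not in KNOWN_TLDS:
            counts["bad_tld"] += 1
        elif (name, qtype) in seen_exact:
            counts["repeat_identical"] += 1
        elif ".".join(labels[-2:]) in seen_domain:
            seen_exact.add((name, qtype))
            counts["repeat_same_domain"] += 1
        else:
            seen_exact.add((name, qtype))
            seen_domain.add(".".join(labels[-2:]))
            counts["legitimate"] += 1
    return counts


def unnecessary_fraction(counts):
    """Share of queries the root server did not need to see."""
    total = sum(counts.values())
    return (total - counts["legitimate"]) / total if total else 0.0
```

Whether a same-domain repeat is truly avoidable depends on the resolver's cache size and TTLs, which is exactly the objection this comment raises; the counter just makes the bucket visible.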

  10. DNS2 by emil · · Score: 3, Interesting

    Really, we should have some sort of gnutella-like system for distributing zone files. The problem with DNS is that it was designed a LONG time ago before the more recent advances in P2P networks.

    There shouldn't be much argument at this point that we need DNS2 - the current system is vulnerable to attack.

    The problem is that, if you distribute zone files (or pieces of zone files) among a loosely-connected network, then you will need to establish trust. These zone files would have to be signed, and the certificate authority then becomes the bottleneck.

    It hurts my head.